Data Security and Confidentiality
As used herein, the term “Client” shall mean the agency licensed to use the AIMS software and related products; and the term “Vendor” shall mean Electronic Data Collection Corporation. In this Agreement, the party receiving information is generically referred to as the “Receiving Party,” and the party disclosing the information is generically referred to as the “Disclosing Party.”
a) Confidential Information Defined
In performance of this Agreement, parties may directly or indirectly disclose confidential information, proprietary information, or confidential data (“Confidential Information”).
“Confidential Information” shall include any data and/or information that is identified by either party as confidential (either orally or in writing) or is of such a nature that a reasonable person would understand such information to be confidential, including, but not limited to: (1) personal information of customers, employees, students, and/or donors, including but not limited to, images, names, addresses, Social Security numbers, e-mail addresses, telephone numbers, financial profiles, credit card information, driver’s license numbers, medical data, law enforcement records, educational records or other information identifiable to a specific individual that relates to any of these types of information (“Personal Information”); (2) business methods, plans, and practices, financial data, or customer lists; (3) trade secrets, inventions, methodologies, research plans, products, product plans, patent applications, and other proprietary rights, and any specifications, tools, computer programs, source code, object code, documentation, or technical information; or (4) any other proprietary information or data the Disclosing Party maintains in confidence.
Confidential Information shall not include information the Receiving Party can prove by clear and convincing written contemporaneous evidence is: (1) publicly known through no fault or negligence of the Receiving Party; (2) rightfully possessed by the Receiving Party prior to disclosure by the Disclosing Party; (3) rightfully obtained by the Receiving Party from a third party in lawful possession of such Confidential Information without obligation of confidentiality; (4) independently developed by the Receiving Party without reference to or use of Confidential Information; (5) required to be disclosed by law; or (6) necessary to disclose to prevent severe physical injury to or loss of life of an individual.
b) Use and Non-Disclosure of Confidential Information; Exceptions
Each party agrees to use the Confidential Information received from the other party only as expressly permitted in this Agreement or when reasonably necessary to perform the party’s duties under this Agreement so long as such disclosure is in accordance with applicable law. To the extent permitted by law, neither party will disclose to any third party the other party’s Confidential Information, in whole or in part, without the prior written consent of the party, or as provided for in this Agreement and in compliance with all applicable state and federal laws; provided however, Vendor may disclose Personal Information of Client data to a third party with the written consent of that Client. Notwithstanding the foregoing, either party may disclose the Confidential Information or portions thereof to their respective attorneys or accountants when seeking legal or financial advice.
Vendor specifically warrants and represents that except as otherwise permitted herein, it will not in any manner disclose, disseminate, copy, sell, resell, sublicense, transmit, assign, or otherwise make available any of Client’s Confidential Information to any third party without the prior written permission of Client, and further warrants and represents that it will take all reasonable steps necessary to ensure that its authorized agents, employees, contractors or subcontractors having access to the Confidential Information shall not copy, disclose or transmit any of the Confidential Information, or any portion thereof, in any form, to a third party except as necessary to perform the Services under the Agreement.
c) Obligations to Secure Confidential Information
Vendor warrants and represents that it will implement the necessary industry-standard physical, electronic, and managerial safeguards to ensure the confidentiality, integrity, and availability of Client Confidential Information, including but not limited to, the environment in which the Confidential Information is stored, processed, and transmitted. Vendor further warrants and represents that such safeguards will in no event be less than the level of security Vendor uses to protect its own Confidential Information. Vendor shall require its contractors and subcontractors authorized to access Client’s Confidential Information pursuant to this Agreement to take similar industry-standard precautions in safeguarding the Confidential Information.
Vendor agrees to comply with all applicable state and federal statutes and regulations governing unauthorized access and disclosure of the Confidential Information including, but not limited to: (1) personally identifiable information from education records as defined in The Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g; 34 CFR Part 99), and regulations promulgated thereunder; (2) information that is subject to the security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C., Subchapter 1, Sections 6801-6809 (Disclosure of Nonpublic Personal Information); and (3) individually identifiable “personal health information” as defined in the Health Information Portability and Accountability Act (“HIPAA”) regulations, 45 CFR Parts 160 and 164.
d) Obligations upon Breach of Security
Vendor will report to Client any breach of security resulting in the unauthorized disclosure, misappropriation or unauthorized access of Client Confidential Information (“Breach”). Vendor will promptly investigate any Breach affecting Client Confidential Information and take reasonable measures to identify the Breach’s root cause(s), mitigate its effects, and prevent a recurrence. Unless prohibited by law, Vendor will provide Client with a detailed description of the Breach, the type of data that was the subject of the incident, the identity of each affected person, and other information Client may reasonably request concerning the affected persons. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected persons.
e) Survival of Obligations
The obligation to maintain the confidentiality of the Confidential Information received by the other party will survive termination or expiration of this Agreement, and shall survive for a period of five (5) years thereafter. Except as otherwise set forth below, within sixty (60) days of the expiration or termination of this Agreement, Vendor shall, at Vendor’s option: (1) certify to Client that Vendor has destroyed all Confidential Information in its possession; or (2) return all media containing all Client Confidential Information to Client; or (3) take whatever other steps Client requires of Vendor to protect Client’s Confidential Information. Client reserves the right to audit or investigate the use of Client Confidential Information collected, used, or acquired by Vendor or its employees, contractors or subcontractors pursuant to this Agreement. Any costs of such audit or investigation are the sole responsibility of Client.